1 /* SPDX-License-Identifier: BSD-3-Clause */
2 /*
3  * Copyright 2009 Raritan Inc. All rights reserved.
4  */
5 
6 #include <UserEvent.idl>
7 
8 /**
9  * %Security Configuration
10  */
11 module security {
12 
/** IP packet filter policy
 *
 * Used per rule (IpfwRule::policy) and as the fallback when no rule
 * matches (IpFw_2_0_0::defaultPolicyIn / defaultPolicyOut).
 */
enumeration IpfwPolicy {
    ACCEPT, ///< Accept the packet
    DROP,   ///< Silently discard the packet; the sender gets no feedback
    REJECT  ///< Discard packet, send error response. The reply tells a remote
            ///< scanner that a filtering host exists; DROP is the quieter
            ///< choice for traffic from untrusted networks
};
19 
/** IP packet filter rule
 *
 * Matched against the remote address of a packet. Evaluation order and the
 * no-match fallback are defined by the enclosing IpFw_2_0_0.
 */
structure IpfwRule {
    string ipMask;     ///< Remote IP and network mask. The exact text format
                       ///< (CIDR prefix vs. dotted mask) is not specified here
                       ///< -- TODO confirm against the firmware before generating rules
    IpfwPolicy policy; ///< Filter policy applied when this rule matches
};
25 
/** IP packet filter configuration
 *
 * One instance each for IPv4 and IPv6 (Security_3_0_2::setIpFwSettings /
 * setIpV6FwSettings). Rules are evaluated in list order; presumably the first
 * matching rule decides (not stated here -- confirm). Caution: with
 * \c enabled set and \c defaultPolicyIn = DROP or REJECT, every inbound
 * connection not covered by an ACCEPT rule in \c ruleSetIn is filtered,
 * including the management session that submits the change -- add the
 * administrator's own network before enabling a restrictive default.
 */
structure IpFw_2_0_0 {
    boolean enabled;             ///< \c true to enable packet filtering
    IpfwPolicy defaultPolicyIn;  ///< The default policy for inbound traffic in case no rule matches
    IpfwPolicy defaultPolicyOut; ///< The default policy for outbound traffic in case no rule matches
    vector<IpfwRule> ruleSetIn;  ///< Ordered list of inbound firewall rules
    vector<IpfwRule> ruleSetOut; ///< Ordered list of outbound firewall rules
};
34 
/** Role-based access policy
 *
 * Outcome of a RoleAccessRule, or the RoleAccessControl default when no
 * rule matches.
 */
enumeration RoleAccessPolicy {
    ALLOW, ///< Access granted
    DENY   ///< Access denied
};
40 
/** Role-based access rule
 *
 * Allows or denies one role from a contiguous range of source addresses
 * (\c startIp .. \c endIp; whether the bounds are inclusive is not stated
 * here -- confirm).
 */
structure RoleAccessRule {
    string startIp;          ///< Start of IP range (textual address; format not specified here)
    string endIp;            ///< End of IP range (textual address)
    int roleId;              ///< Role id this rule applies to
    RoleAccessPolicy policy; ///< Access policy for that role from that range
};
48 
/** Role-based access control settings
 *
 * Restricts from which source addresses each role may access the device.
 * With \c defaultPolicy = DENY, a role that no rule ALLOWs is denied from
 * every address -- including the administrator's -- so add an ALLOW rule
 * for the administrative role's network before switching the default to
 * DENY. Rule evaluation order is not stated here; presumably list order,
 * first match wins -- confirm.
 */
structure RoleAccessControl {
    boolean enabled;                ///< \c true to enable role-based access control
    RoleAccessPolicy defaultPolicy; ///< Default policy, applied when no rule matches
    vector<RoleAccessRule> rules;   ///< List of access rules
};
55 
/** Password settings
 *
 * Complexity, aging and history policy for user passwords. Whether the
 * length and character-class fields are only enforced while
 * \c enableStrongReq is set is not stated here -- presumably yes, confirm.
 * Changes to this structure are reported through the
 * PasswordSettingsChanged event.
 */
structure PasswordSettings {
    boolean enableAging;     ///< \c true to enable password aging
    int agingInterval;       ///< Aging interval in days
    boolean enableStrongReq; ///< \c true to enable strong password requirements
    int minPwLength;         ///< Minimum password length
    int maxPwLength;         ///< Maximum password length
    boolean enforceLower;    ///< Passwords must contain at least one lower case character
    boolean enforceUpper;    ///< Passwords must contain at least one upper case character
    boolean enforceNumeric;  ///< Passwords must contain at least one numeric character
    boolean enforceSpecial;  ///< Passwords must contain at least one special character
    int pwHistoryDepth;      ///< Number of entries in password history (presumably the number
                             ///< of previous passwords a user may not reuse -- confirm)
};
69 
/** SSH authentication settings
 *
 * Selects which SSH authentication methods the device accepts. Public-key
 * only (allowPasswordAuth = false, allowPublicKeyAuth = true) is the
 * hardened configuration because it takes SSH out of reach of password
 * guessing. What the device does when both flags are false is not stated
 * here -- presumably no SSH login is possible; confirm before clearing both.
 */
structure SSHSettings {
    boolean allowPasswordAuth;  ///< Allow password authentication
    boolean allowPublicKeyAuth; ///< Allow public key authentication
};
75 
/** Type of SSH host key
 *
 * Only RSA and ECDSA host keys are exposed by this interface version;
 * there is no Ed25519 entry.
 */
enumeration SSHHostKeyType {
    SSH_HOST_KEY_TYPE_RSA,  ///< RSA host key
    SSH_HOST_KEY_TYPE_ECDSA ///< ECDSA host key
};
81 
/** Type of SSH key fingerprint
 *
 * Identifies how an SSHKeyFingerprint::fingerprint string was derived.
 * MD5 is collision-weak and the hex MD5 form is the older fingerprint
 * format; when verifying the device's host identity out-of-band, compare
 * the SHA-256 fingerprint and treat the MD5 one as informational only.
 */
enumeration SSHKeyFingerprintType {
    SSH_KEY_FPRINT_TYPE_MD5_HEX,       ///< MD5 digest, hex encoded (legacy; do not rely on it)
    SSH_KEY_FPRINT_TYPE_SHA256_BASE64, ///< SHA-256 digest, base64 encoded (preferred)
    SSH_KEY_FPRINT_TYPE_UNKNOWN        ///< Fingerprint type unknown / not representable
};
88 
/** Fingerprints of SSH host key
 *
 * One fingerprint of an SSHHostKey together with the digest and encoding
 * used to produce it (see SSHKeyFingerprintType for which one to trust).
 */
structure SSHKeyFingerprint {
    string fingerprint;         ///< Fingerprint of SSH key
    SSHKeyFingerprintType type; ///< Type of fingerprint
};
94 
/** SSH host keys
 *
 * A public host key as returned by Security_3_0_2::getSSHHostKeys, with its
 * fingerprints. Fetching the key through this API only proves the device's
 * identity if the API session itself was established over a channel the
 * caller already trusts; before pinning the key in an SSH client, confirm
 * the SHA-256 fingerprint through an independent path. The text format of
 * \c key is not specified here -- TODO confirm.
 */
structure SSHHostKey {
    string key;                             ///< Public key
    SSHHostKeyType type;                    ///< Type of public key
    vector<SSHKeyFingerprint> fingerprints; ///< Fingerprints of public key
};
101 
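/** Restricted Service Agreement settings
 *
 * A login banner that, when enforced, is presumably presented to the user
 * before authentication completes (exact UI behaviour not specified here).
 * Referenced by Security_3_0_2::getRestrictedServiceAgreement and
 * setRestrictedServiceAgreement.
 */
structure RestrictedServiceAgreement {
    boolean enabled; ///< Enforce Restricted Service Agreement
    string banner;   ///< Restricted Service Agreement Banner
};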
107 
/**
 * This Event is emitted after any of the password-settings
 * has been changed (presumably by Security_3_0_2::setPwSettings or the
 * deprecated setSettings). It carries the complete before/after
 * PasswordSettings so an audit consumer can diff them; PasswordSettings
 * holds only policy values, no secret material.
 */
valueobject PasswordSettingsChanged extends event.UserEvent {
    PasswordSettings oldSettings; ///< settings in effect before the change
    PasswordSettings newSettings; ///< settings in effect after the change
};
116 
/**
 * Front panel privileges have been changed
 * (presumably emitted by Security_3_0_2::setFrontPanelPrivileges).
 * Both lists are privilege names as returned by getFrontPanelPrivileges.
 */
valueobject FrontPanelPrivilegesChanged extends event.UserEvent {
    vector<string> oldPrivileges; ///< old front panel privileges
    vector<string> newPrivileges; ///< new front panel privileges
};
124 
/** %Security configuration interface
 *
 * Getters and setters for the device's network-facing security controls.
 * Conventions visible in this interface:
 *  - setters that validate their input return \c int, 0 on success or
 *    ERR_INVALID_VALUE; the boolean setters (setHttpRedirSettings,
 *    setHstsEnabled, setSingleLoginLimitation) and setSSHSettings return
 *    \c void and therefore give the caller no validation result;
 *  - the aggregate \c Settings plus getSettings()/setSettings() are
 *    deprecated; use the per-setting methods.
 * Which roles/permissions are required to call these methods is not
 * expressed in the IDL.
 */
interface Security_3_0_2 {

    constant int ERR_INVALID_VALUE = 1; ///< Invalid arguments

    /** %Security configuration
     * This structure is deprecated and will be removed in V3.0,
     * use concrete getters and setters instead!
     * NOTE(review): the interface is already versioned 3.0.2 and still
     * carries this structure, so the "V3.0" removal note looks stale.
     */
    structure Settings {
        boolean http2httpsRedir;               ///< \c true to enable HTTP-to-HTTPS redirection
        int userBlockTimeout;                  ///< User blocking timeout in minutes
        int userMaxFailedLogins;               ///< Maximum number of failed logins before blocking a user
        IpFw_2_0_0 ipFw;                       ///< IP packet filter configuration
        IpFw_2_0_0 ipV6Fw;                     ///< IPv6 packet filter configuration
        RoleAccessControl roleAccessControl;   ///< Role-based access control settings
        RoleAccessControl roleAccessControlV6; ///< Role-based access control settings for IPv6
        PasswordSettings pwSettings;           ///< Password settings
        int idleTimeout;                       ///< Session idle timeout in minutes
        boolean singleLogin;                   ///< \c true to enable single login limitation
        SSHSettings sshSettings;               ///< SSH authentication settings
    };

    /**
     * Retrieve the security configuration.
     * This method is deprecated and will be removed in V3.0,
     * use the concrete getters instead!
     *
     * @return %Security configuration
     */
    [deprecated]
    Settings getSettings();

    /**
     * Set the security configuration.
     * This method is deprecated and will be removed in V3.0,
     * use the concrete setters instead!
     * The argument carries every field of \c Settings, so a caller should
     * start from the result of getSettings() rather than a fresh structure,
     * or it presumably resets controls it did not mean to touch (firewall,
     * RBAC, password policy, ...).
     *
     * @param settings New security settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    [deprecated]
    int setSettings(in Settings settings);

    /**
     * Retrieve the current state of the HTTP-to-HTTPS redirection.
     *
     * @return \c true if the HTTP-to-HTTPS redirection is enabled
     */
    boolean getHttpRedirSettings();

    /**
     * Enable or disable HTTP-to-HTTPS redirection.
     * A redirect still needs a plain-HTTP listener to answer the first
     * request, so enabling this does not make the device HTTPS-only;
     * disabling plain HTTP altogether is not controlled by this interface.
     * No error code is returned.
     *
     * @param http2httpsRedir \c true to enable the redirection
     */
    void setHttpRedirSettings(in boolean http2httpsRedir);

    /**
     * Check whether HTTP Strict Transport Security (HSTS) is enabled
     *
     * @return \c true when HSTS is enabled
     */
    boolean isHstsEnabled();

    /**
     * Enable or disable HTTP Strict Transport Security (HSTS).
     * Per RFC 6797 a browser only honours the HSTS header over a trusted
     * HTTPS connection, and once it has cached the policy it refuses plain
     * HTTP and refuses to click through certificate errors for this host.
     * Install a certificate the management clients trust before enabling
     * this, otherwise browsers may be locked out until the policy expires.
     * The max-age value sent is not configurable here. No error code is
     * returned.
     *
     * @param enable \c true to enable HSTS
     */
    void setHstsEnabled(in boolean enable);

    /**
     * Retrieve the IPv4 packet filter configuration.
     *
     * @return %IPv4 packet filter configuration
     */
    IpFw_2_0_0 getIpFwSettings();

    /**
     * Set the IPv4 packet filter configuration.
     * The whole configuration (both rule sets and both defaults) is
     * replaced. A restrictive \c defaultPolicyIn without an ACCEPT rule for
     * the caller's own network filters the session that made this call;
     * whether the firmware guards against that is not stated here --
     * assume it does not.
     *
     * @param ipFw New packet filter settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setIpFwSettings(in IpFw_2_0_0 ipFw);

    /**
     * Retrieve the IPv6 packet filter configuration.
     *
     * @return %IPv6 packet filter configuration
     */
    IpFw_2_0_0 getIpV6FwSettings();

    /**
     * Set the IPv6 packet filter configuration.
     * Same replacement and lock-out caveats as setIpFwSettings, applied to
     * the IPv6 filter.
     *
     * @param ipV6Fw New packet filter settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setIpV6FwSettings(in IpFw_2_0_0 ipV6Fw);

    /**
     * Retrieve the role-based access control settings for IPv4.
     *
     * @return Role-based access control settings
     */
    RoleAccessControl getRoleAccessControlSettings();

    /**
     * Change the role-based access control settings (IPv4; the IPv6
     * counterpart is setRoleAccessControlSettingsV6).
     * A DENY default with no ALLOW rule covering the administrative role's
     * source network denies the caller as well -- see RoleAccessControl.
     *
     * @param settings New settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setRoleAccessControlSettings(in RoleAccessControl settings);

    /**
     * Retrieve the role-based access control settings for IPv6.
     *
     * @return Role-based access control settings
     */
    RoleAccessControl getRoleAccessControlSettingsV6();

    /**
     * Change the role-based access control settings for IPv6.
     * Same lock-out caveat as setRoleAccessControlSettings.
     *
     * @param settings New settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setRoleAccessControlSettingsV6(in RoleAccessControl settings);

    /**
     * Retrieve the current user blocking settings
     *
     * @return blockTimeout The block timeout in minutes
     * @return maxFailedLogins The maximum failure count
     */
    void getBlockSettings(out int blockTimeout, out int maxFailedLogins);

    /**
     * Change the user blocking settings.
     * Blocking is presumably per user account ("before blocking a user" in
     * \c Settings), so anyone who can reach the login service and knows an
     * account name can lock that account for \c blockTimeout minutes by
     * deliberately exceeding \c maxFailedLogins. Keep the timeout short
     * enough that this cannot deny an operator access for long, and use the
     * packet filter / RBAC for source restrictions. Whether 0 disables
     * either limit is not stated here -- confirm.
     *
     * @param blockTimeout User blocking timeout in minutes
     * @param maxFailedLogins Maximum number of failed logins
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setBlockSettings(in int blockTimeout, in int maxFailedLogins);

    /**
     * Retrieve the password settings.
     *
     * @return Password settings
     */
    PasswordSettings getPwSettings();

    /**
     * Change the password settings.
     * Presumably triggers a PasswordSettingsChanged event. Whether existing
     * passwords are re-validated against the new policy or only new ones is
     * not stated here.
     *
     * @param pwSettings New settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setPwSettings(in PasswordSettings pwSettings);

    /**
     * Retrieve the current idle timeout.
     *
     * @return Idle timeout in minutes
     */
    int getIdleTimeoutSettings();

    /**
     * Change the session idle timeout.
     * Whether 0 means "never expire" and whether the change applies to
     * sessions that are already open is not stated here -- confirm.
     *
     * @param idleTimeout New idle timeout in minutes
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setIdleTimeoutSettings(in int idleTimeout);

    /**
     * Retrieve the current single-login limitation setting.
     *
     * @return \c true if single-login limitation is enabled
     */
    boolean getSingleLoginLimitation();

    /**
     * Enable or disable single login limitation.
     * Presumably limits each user to one concurrent session; what happens
     * to an existing session when the same user logs in again is not
     * stated here. No error code is returned.
     *
     * @param singleLogin \c true to enable single login limitation
     */
    void setSingleLoginLimitation(in boolean singleLogin);

    /**
     * Retrieve the current SSH settings
     *
     * @return SSH settings
     */
    SSHSettings getSSHSettings();

    /**
     * Change the SSH settings
     * Unlike the other setters this returns \c void, so a rejected or
     * contradictory combination (e.g. both methods disabled) cannot be
     * reported to the caller; read back with getSSHSettings() to confirm
     * what was applied.
     *
     * @param settings New settings
     */
    void setSSHSettings(in SSHSettings settings);

    /**
     * Retrieve the host SSH keys
     * Read-only; there is no method in this interface to regenerate the
     * host keys. See SSHHostKey for why the returned fingerprints should be
     * confirmed through an independent channel before being pinned.
     *
     * @return SSH host keys
     */
    vector<SSHHostKey> getSSHHostKeys();

    /**
     * Retrieve the current Restricted Service Agreement settings
     *
     * @return Restricted Service Agreement settings
     */
    RestrictedServiceAgreement getRestrictedServiceAgreement();

    /**
     * Change the Restricted Service Agreement settings
     *
     * @param settings New settings
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setRestrictedServiceAgreement(in RestrictedServiceAgreement settings);

    /**
     * Retrieve a list of supported privileges for the front panel
     *
     * @return List of privilege names
     */
    vector<string> getSupportedFrontPanelPrivileges();

    /**
     * Retrieve the list of active front panel privileges
     *
     * @return List of privilege names
     */
    vector<string> getFrontPanelPrivileges();

    /**
     * Set the privileges for the front panel
     * The list becomes the new set of active privileges. Front panel
     * privileges are exercisable by anyone with physical access to the
     * unit, so keep this list minimal.
     *
     * @param privileges Privilege names to activate; presumably only names
     *        returned by getSupportedFrontPanelPrivileges() are accepted
     *
     * @return 0 on success
     * @return ERR_INVALID_VALUE if any argument was invalid
     */
    int setFrontPanelPrivileges(in vector<string> privileges);

};
395 
396 }